In February, a federal judge in the Southern District of New York held that AI chat conversations aren’t privileged and aren’t work product. The case involved a criminal defendant, but the court’s reasoning applies to any person or company who types sensitive information into a chatbot.
If you’re using Claude, ChatGPT, Gemini, or any other consumer AI product, your prompt history is discoverable. Investigation notes, PIP language, classification analyses, engagement-term review, all of it subject to subpoena. This is a liability problem we need to solve this week, and the solution starts with better AI hygiene.
The Background
Bradley Heppner was indicted in the Southern District of New York on securities fraud, wire fraud, and falsifying corporate records related to his role at GWG Holdings. After he retained defense counsel, he started using the consumer version of Claude to work through aspects of his defense on his own. He typed prompts about his case, got responses, and kept printouts of prompt-and-output documents.
The FBI found those printouts during a home search. The government wanted to use them. Heppner’s lawyers fought to exclude them, arguing attorney-client privilege and work product protection. The court rejected both arguments.
The ruling was the first of its kind. No federal court had previously addressed whether AI-generated documents are privileged.
The Legal Analysis
Three doctrines were at stake: attorney-client privilege, work product, and the Kovel extension. All three failed.
Attorney-Client Privilege
Attorney-client privilege protects confidential communications between a client and their lawyer made for the purpose of getting legal advice. The court found that this fails at every step when the other party in the conversation is a chatbot.
- Claude isn’t a lawyer. It can’t form an attorney-client relationship. As the court put it, privilege requires a trusting human relationship with a licensed professional who owes fiduciary duties. An AI platform has neither.
- There’s no confidentiality. Anthropic’s consumer terms, the ones most of us click through without reading, reserve the right to use inputs for model training and to disclose data to third parties, including law enforcement. Anthropic’s privacy policy says they may comply with governmental, court, and law enforcement requests and reserve the right to report your inputs and outputs to law enforcement. That’s the deal you agreed to. You can’t claim a reasonable expectation of confidentiality when the terms explicitly tell you your data isn’t confidential.
- Timing. Heppner created these documents on his own, then shared them with his lawyers. The court was emphatic on this point: documents that aren’t privileged when you create them don’t become privileged just because you hand them to your lawyer later. Privilege attaches at creation or not at all.
Work Product Doctrine
This is the backup argument, and it has a different structure. Work product protects materials prepared by or at the direction of an attorney in anticipation of litigation.
Heppner used Claude on his own initiative, without his attorneys telling him to or supervising how he did it. The court said extending work product to a client’s independent AI research would gut the doctrine’s purpose, which exists to protect lawyers’ mental processes, not everything a client does while thinking about their case.
Kovel
The court cited a 1961 Second Circuit case that extends privilege to third-party experts hired by a lawyer to help deliver legal advice: accountants, translators, consultants.
The court suggested that if Heppner’s lawyers had directed him to use Claude, supervised the process, and structured it as a tool for the legal team’s work, privilege might have attached. Claude could arguably function like those third-party experts whose work is privileged because it’s done under attorney supervision.
But that’s dicta (ancillary to the actual point of the case). No court has tested the Kovel path for AI.
Review Your Chat History Now
Look at what’s actually in your AI chat history. Investigation summaries you drafted. PIP language you workshopped. Termination memos you pressure-tested. Classification analyses where you fed in the facts of a client’s arrangement and asked whether the workers are properly classified. Engagement agreements you pasted in to check restrictive covenants or indemnification language.
Every one of those prompts is sitting on a third party’s servers. And unlike a Google search, an AI chat exposes your full reasoning chain. The question you asked, the analysis you received, the follow-ups where you pushed on the weak points. It’s your internal thought process, externalized and preserved on someone else’s infrastructure.
That creates three distinct exposures.
- Negligence Documentation Risk: If the AI flagged a legal risk—say, that a client’s independent contractor arrangements look like they’d fail the ABC test—and you didn’t surface that to the client, the chat log is discoverable evidence. It could be used to argue you knew, or should have known, because you asked the question and got the answer.
- Confidentiality Waiver Risk: If you pasted client details into a consumer chatbot, you may have just waived confidentiality over that information. The data lives on a third party’s servers under terms that explicitly disclaim confidentiality.
- Professional Judgment Risk: If the AI got the analysis wrong and you passed it along without checking, the chat log is the evidence. It shows exactly which outputs you relied on and how little independent verification you did.
The retention math makes it worse. If you’re on consumer Claude (not enterprise) and you opted into model training when Anthropic updated its terms last year, your data is retained for up to five years. Even if you didn’t opt in, 30-day retention means data exists long enough for a litigation hold or subpoena to catch it.
And Anthropic’s terms say that upon account termination, they may at their option delete your data. May. (Comforting.)
What Should You Do
Strip Specifics
Strip the names. Strip the facts. Strip anything that could identify a client before it goes into a consumer tool. If you’re not on an enterprise plan with a data processing agreement, assume everything you type is discoverable and act accordingly.
What “scrubbed” actually looks like:
- Before: ABC Corp, a 50-person fintech in Delaware, wants to terminate their VP of Engineering Sarah Chen for performance issues. She’s on a PIP that ends April 15. They paid her $185k base. Should we be worried about retaliation since she filed an HR complaint about her director in February?
- After: A small fintech wants to terminate a senior leader for performance issues. They’re on a PIP that ends in two weeks. The employee filed an HR complaint against their manager about two months ago. Retaliation risk?
The strip list: client and company names, employee names, specific titles paired with industry, specific dates that could anchor a timeline, specific dollar amounts, jurisdiction if it’s narrow enough to identify the client. Anonymize first. Then prompt.
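One way to apply the strip list mechanically before a prompt leaves your machine, as an added example that is not the author's own tooling. The `scrub` function and the identifier map are assumptions constructed for the "Before" prompt above; the patterns only catch formatted dates and dollar amounts, so names, titles and narrow jurisdictions must be supplied by you.

```python
import re

MONTHS = ("January|February|March|April|June|July|August|September|"
          "October|November|December")
PATTERNS = {
    # Dollar figures such as $185k, $1,200.50, $2M
    "AMOUNT": re.compile(r"\$\s?\d[\d,]*(?:\.\d+)?[kKmM]?\b"),
    # Month names with optional day/year; "May" only counts with a day,
    # so the ordinary word "may" is left alone. Numeric dates too.
    "DATE": re.compile(
        rf"\b(?:{MONTHS})(?:\s+\d{{1,2}})?(?:,\s*\d{{4}})?\b"
        r"|\bMay\s+\d{1,2}(?:,\s*\d{4})?\b"
        r"|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

def scrub(prompt, identifiers):
    """Return (scrubbed_prompt, findings); identifiers maps each
    client-specific string to the generic wording that replaces it."""
    findings = []
    # Longest identifiers first so "ABC Corp" wins over a shorter "ABC".
    for term in sorted(identifiers, key=len, reverse=True):
        pat = re.compile(rf"(?<!\w){re.escape(term)}(?!\w)", re.IGNORECASE)
        prompt, n = pat.subn(lambda m, r=identifiers[term]: r, prompt)
        findings += [("IDENTIFIER", term)] * n
    for label, pat in PATTERNS.items():
        findings += [(label, m.group(0)) for m in pat.finditer(prompt)]
        prompt = pat.sub(f"[{label}]", prompt)
    return prompt, findings

# The page's "Before" prompt; the identifier map is constructed for it.
BEFORE = ("ABC Corp, a 50-person fintech in Delaware, wants to terminate "
          "their VP of Engineering Sarah Chen for performance issues. "
          "She's on a PIP that ends April 15. They paid her $185k base. "
          "Should we be worried about retaliation since she filed an HR "
          "complaint about her director in February?")
IDENTIFIERS = {
    "ABC Corp": "A company",
    "Delaware": "a US state",
    "VP of Engineering": "senior leader",
    "Sarah Chen": "(name removed)",
    "50-person": "small",
}

if __name__ == "__main__":
    clean, found = scrub(BEFORE, IDENTIFIERS)
    print(clean)
    for category, text in found:
        print(f"removed {category}: {text}")
```

Run over prompts you have already sent, a non-empty findings list marks a conversation for the exposure map described under Audit Your AI Stack.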
Audit Your AI Stack
Audit your AI stack and delete what you don’t need. This week, list every AI tool you use, consumer or enterprise, and check the retention setting on each. For consumer tools you’ve been using on client work, scroll back through the prompt history and identify anything that names a client, an employee, or specific investigation facts. That’s your exposure map.
Delete consumer AI conversations after you’ve extracted what you need going forward. Don’t let a six-month archive of client work accumulate on a platform whose terms give you no control.
One important caveat: if you have active client matters that could end up in litigation or are subject to a hold, don’t mass-delete. Consult counsel before clearing chat history. Preservation obligations apply to AI logs the same way they apply to email, and deleting after a duty to preserve has attached is a spoliation problem, not a solution.
Use Temporary Chat Modes
Use temporary chat modes for anything sensitive. Most consumer platforms now offer a temporary or ephemeral chat option that doesn’t save to history or get used for training.
Make that your default for client-related work, even after you’ve scrubbed the prompt. It’s a second layer of hygiene that costs you nothing.
Update Agreements
Update your engagement agreements. Add a clause covering your AI use: what tools you use, what data handling protections are in place, what the client should know about discoverability of AI-assisted work. This is transparency, and depending on how it’s drafted, it can help limit your exposure.
Have an attorney review the specific clause language before adding it to your template. A poorly drafted AI-disclosure provision can create liability rather than limit it.
How to Advise Your Clients
Your clients have a bigger version of the same problem, and most of them haven’t heard of this ruling.
Right now, managers across your client organizations are using AI tools to draft RIF rationale, brainstorm accommodation responses, model layoff scenarios, summarize investigation interviews, and analyze difficult employees. Every one of those prompts is a discoverable admission.
AI chats are worse than email in one specific way: they capture the unfiltered version of a manager’s thinking. The question someone would never put in a formal document or ask HR directly, they’ll ask a chatbot.
As one employment attorney warned after the ruling, litigants and agencies will start asking companies to produce AI prompts and outputs from HR teams. The question is whether your clients are ready when that request lands.
Three things need to change in most client organizations.
Acceptable-use policies need a discovery section. Most corporate AI policies, to the extent they exist, focus on data security and accuracy. Almost none address the fact that AI chat logs are discoverable records. The policy needs to cover four things:
- Which tools are approved (enterprise only for anything touching HR, legal, or sensitive business matters)
- What categories of information can’t be entered (employee PII, investigation details, legal analysis, RIF planning)
- Who reviews AI output before anyone acts on it
- How AI logs fit into record retention
Litigation hold scope must expand. When a company receives a litigation hold notice, the data sources preserved for each custodian typically include email, documents, texts, and Slack. AI chat logs are almost never included.
After this ruling, opposing counsel will ask for them. If the company didn’t preserve, opposing counsel has a spoliation argument, and that’s a conversation for the client’s litigation counsel. Flag it now: the hold notice should list specific AI platforms by name (Copilot, ChatGPT, Claude, Gemini, whatever the organization uses).
The Upjohn warning needs an AI clause. If your client runs internal investigations, tell employees and managers not to put investigation details into any AI tool unless counsel says to. An employee who types investigation details into a consumer chatbot has just created a discoverable record outside the company’s document management system and outside any litigation hold.
What Needs to Change
Enterprise-tier AI products are designed for organizations and priced for them. A Claude Pro or ChatGPT subscription costs $20 a month. An enterprise deployment with a data processing agreement costs orders of magnitude more and requires a procurement process designed for companies, not solopreneurs.
The result is a two-tier system. Organizations with resources get AI tools that may preserve confidentiality. Independent workers get consumer tools whose terms actively undermine it. Heppner tells independent professionals their work product is discoverable and their clients’ confidential information may be compromised, but the solution is priced out of reach.
This is a market access and economic fairness issue, and it’s one the freelancer advocacy space hasn’t surfaced yet. I see three paths worth pushing.
- First, advocacy for AI providers to offer a professional tier, enterprise-grade data handling at a price point accessible to solopreneurs. The distinction between a $20/month consumer account and a five-figure enterprise contract shouldn’t be whether your client’s confidential information gets used for model training. There’s a middle ground, and providers have a commercial incentive to find it if independent professionals start demanding it.
- Second, collective access. Organizations like FPP and Freelancers Union could negotiate group purchasing agreements for enterprise AI tools, and the model already exists for group health insurance and liability coverage. If individual practitioners can’t negotiate enterprise terms, maybe we negotiate collectively.
- Third, policy. Minimum data handling standards for AI tools used in professional contexts would prevent consumer terms from being weaponized to destroy confidentiality. If a professional uses an AI tool in the course of delivering professional services, the provider’s terms shouldn’t be able to waive confidentiality over the client information processed through it. That’s a regulatory question, and it’s one that hasn’t been asked yet.
The AI providers aren’t going to ask it. Their commercial incentive is to position enterprise tiers as the solution, which happens to be their most profitable product. If the question gets asked, it’ll be asked by the people who are getting squeezed: independent professionals who need professional-grade tools at professional-grade prices. That’s us.
While every conversation on a consumer platform is a discoverable record, you can change the discoverability equation by controlling the tool you use and the terms you use it under. Audit your stack, lock down your hygiene, and push your clients to do the same.
Take Control of Your AI Risk Before It Becomes a Legal Problem
AI isn’t going away, and neither is the risk that comes with using it the wrong way.
Right now, your chat history could be exposing sensitive client data, internal reasoning, and decisions that were never meant to be seen outside your organization. And once it’s discoverable, you don’t get to take it back.
If you’re using AI in any capacity across legal, HR, or business operations, now is the time to tighten your process.
I help organizations:
- Audit their current AI usage and exposure
- Implement safer prompting and data-handling workflows
- Update internal policies to reflect real legal risk
- Align AI use with confidentiality, compliance, and operational standards
Don’t wait until a subpoena forces the issue. Contact me today to review your AI practices and build a safer, smarter approach, before your data becomes evidence.


